Article

Antecedents and Consequences of Data Breaches: A Systematic Review

Abstract

Research on data breaches is scattered across disciplines and methodologies. To help consolidate it, we review 43 articles on data breaches’ antecedents and 83 on their consequences. We find eight different categories each for antecedents and consequences. Most research is empirical-quantitative and employs an organizational unit of analysis. Theoretical lenses discovered range from a data breach as organizational crisis to criminological and privacy-specific theories. Our review provides researchers and practitioners with a synthesis of extant research and elaborates on future implications for data breach literature.

... It is not surprising that more B2C data breaches are litigated and discussed in the media compared to B2B data breaches; especially since B2C data breaches involve consumer data impacting the daily lives of millions of people, unlike B2B breaches, where business information is primarily compromised (Pollard, 2017). Given the traction and public attention of B2C data breaches, researchers have started investigating the impact of data breaches in the consumer context more pointedly (e.g., Labrecque et al., 2021), but less attention has been given to the B2B context (Schlackl et al., 2022). ...
... Furthermore, B2B data breach vulnerabilities (perceptions of harm) are connected to a company's financial loss since the nature of B2B transactions involves larger monetary amounts than those in B2C situations. In fact, B2B and B2C contexts are different and justify separate investigations such that B2B marketers cannot rely solely on data breach insights or implications from their B2C counterparts (Hill & de Zubielqui, 2023; Schlackl et al., 2022; Swani et al., 2014). ...
... This research addresses the growing call in recent years to understand B2B privacy and data breaches in greater depth (de Jong et al., 2021; Hill & de Zubielqui, 2023; Labrecque et al., 2021; Schlackl et al., 2022; Zhang & Watson IV, 2020). To our knowledge, no research to this date has explored the impact of B2B data breaches from a buyer's perspective (see Table 2). ...
Article
Data breaches are becoming a growing concern causing customer data vulnerability levels to increase. Arguably, data breach vulnerabilities are more detrimental in business-to-business (B2B) rather than in business-to-consumer (B2C) settings; yet more is known about B2C than B2B. Building on social contract theory, this research explores the impact of buyer data breach vulnerability if a buyer or buyer firm's information is compromised by a major supplier. An empirical model is proposed and tested. Results from 606 B2B buyers indicate that buyer vulnerabilities reduce buyer trust, whereas they increase their level of dissatisfaction, and their intent to take protective actions and switch to another supplier. Buyer trust increases relationship commitment and brand reputation, while dissatisfaction decreases them. Trust and dissatisfaction fully mediate the relationship from vulnerability to relationship commitment and brand reputation. Loss of a buyer's (buyer's firm) information impacts not only (supplier-) buyer-related outcomes but also (buyer-) supplier-related outcomes, indicating spillover effects. Furthermore, results indicate the moderating effects of the affected party (whose information is compromised) on the buyer- and supplier-related outcomes as well as relationship quality factors. These findings indicate that B2B data breaches can have detrimental consequences. To mitigate these negative outcomes, managers should emphasize building and sustaining relationship quality, as well as employ good privacy practices through transparent and clear policies and giving users control of their data. An appropriate communication plan to inform the victims of the data breach may also help mitigate the effects of data loss.
... Data breaches have become increasingly common as businesses become more reliant on the Internet and digitized processes [1][2][3]. Simultaneously, the costs associated with a data breach have also increased. In 2006, the average expenditure on addressing a data breach in the U.S. stood at approximately USD 3.5 million, which soared to about USD 8.64 million by 2020, marking an increase of over 140% within a span of 14 years [4]. ...
... In a CEO survey conducted in late 2019, half of the participating American CEOs were "extremely concerned" about cyber threats to their business and listed such threats as the single biggest danger to their companies [5]. Among cyber threats, data breaches are rated as the most important issue for security managers, as a recent Delphi study of CISO priorities has shown [3,6]. ...
... Hall and Wright [42] analyzed the breaches between 2014 and 2018 and their overall conclusion was that cyber-attacks leading to breaches occur in nearly every industry, more so in the healthcare industry. Schlackl et al. [3] reviewed 43 articles on data breaches prior to their occurrence and 83 for post-occurrence impact. Their theoretical framework encompassed a variety of lenses, ranging from viewing a data breach as an organizational crisis to exploring theories related to criminality and privacy. ...
Article
Full-text available
While data breaches are a frequent and universal phenomenon, the characteristics and dimensions of data breaches are unexplored. In this novel exploratory research, we apply machine learning (ML) and text analytics to a comprehensive collection of data breach litigation cases to extract insights from the narratives contained within these cases. Our analysis shows stakeholders (e.g., litigants) are concerned about major topics related to identity theft, hacker, negligence, FCRA (Fair Credit Reporting Act), cybersecurity, insurance, phone device, TCPA (Telephone Consumer Protection Act), credit card, merchant, privacy, and others. The topics fall into four major clusters: “phone scams”, “cybersecurity”, “identity theft”, and “business data breach”. By utilizing ML, text analytics, and descriptive data visualizations, our study serves as a foundational piece for comprehensively analyzing large textual datasets. The findings hold significant implications for both researchers and practitioners in cybersecurity, especially those grappling with the challenges of data breaches.
... For instance, researchers have explored the psychological and social consequences of cyberstalking and interpersonal online crimes (e.g., Fissel & Reyns, 2020; Stevens et al., 2021). Several studies have also documented the various emotional and financial harms associated with online fraud schemes (Button & Cross, 2017; Cross, 2017; DeLiema & Witt, 2023), and data breaches (Labrecque et al., 2021; Schlackl et al., 2022). ...
... The significant negative relationship between data losses and defacements also aligns with expectations as most defacements are not performed to cause a loss of data (Holt et al., 2020). The relationship between data breaches and financial loss is also relatively clear given that such cyberattacks cause major financial losses to the target and the individuals whose information is acquired by attackers (R. Anderson et al., 2019; Schlackl et al., 2022). The use of specific methods in furtherance of an attack also aligned with aspects of SCP. ...
Article
There has been a dramatic increase in research on terrorism and extremist activities over the last two decades. Despite this growth, the majority of studies focus on either the harm caused by ideologically-motivated violence in physical spaces, or the ways in which individuals radicalize and organize in online spaces. There is growing evidence that traditional extremist groups and terrorists engage in cyberattacks, such as computer hacking, in support of their ideological beliefs. Little is known about the degree to which ideologically-motivated cyberattacks cause harm to victims, and the correlates of harm depending on the nature of the attack. This study attempts to address this gap in the literature through a quantitative analysis of 425 victims of 246 cyberattacks captured in the open-source Extremist CyberCrime Database (ECCD). Using situational crime prevention, this analysis attempts to identify the significant factors associated with the loss of time, data, and financial harm experienced by victims of cyberattacks performed by ideological actors with and without state sponsorship. The findings demonstrate that the forms of attack reported, as well as the unique attack methods, such as zero-day vulnerabilities, are more likely to lead victims to report the loss of time to the victim, as well as sensitive data and financial losses. The target type is also associated with the loss of both time and sensitive data; however, there is no relationship between targets and the financial losses reported from cyberattacks. Additionally, financial harm was more likely to result from non-state sponsored ideological actors, such as racial and ethnically motivated individuals and jihadists. This analysis demonstrates support for the application of situational crime prevention frameworks traditionally used for physical terrorism to virtual ideological attacks. Further, this study demonstrates the importance of assessing cyberattacks as a form of ideologically-motivated crime. Finally, the findings demonstrate the need for increased resources to improve the state of cybersecurity for individuals, businesses, and government agencies to reduce the risk of harm associated with cyberattacks performed by both nation-state sponsored and non-state ideological actors alike.
... Schlackl et al. [25] reviewed relevant academic papers about data breaches, emphasizing their antecedents and consequences, summarizing the literature on what influences a data breach and the subsequent repercussions. Schlackl et al. [25] also indicated which fields are more studied than others. Equivalently, Patterson et al. [26] systematically reviewed the literature on data breaches and identified future research, pointing out that organizations have not fully maximized the potential benefits of learning from incidents and have not conducted thorough evaluations to determine the effectiveness of their learning processes. ...
Article
Full-text available
A data breach is the unauthorized disclosure of sensitive personal data, and it impacts millions of individuals annually in the United States, as reported by Privacy Rights Clearinghouse. These breaches jeopardize the physical safety of the individuals whose data are exposed and result in substantial economic losses for the affected companies. To diminish the frequency and severity of data breaches in the future, it is imperative to research their causes and explore preventive measures. In pursuit of this goal, this study considers a dataset of data breach incidents affecting companies listed on the New York Stock Exchange and NASDAQ. This dataset has been augmented with additional information regarding the targeted company. This paper employs statistical visualizations of the data to clarify these incidents and assess their consequences on the affected companies and individuals whose data were compromised. We then propose mitigation controls based on established frameworks such as the NIST Cybersecurity Framework. Additionally, this paper reviews the compliance scenario by examining the relevant laws and regulations applicable to each case, including SOX, HIPAA, GLBA, and PCI-DSS, and evaluates the impacts of data breaches on stock market prices. We also review guidelines for appropriately responding to data leaks in the U.S., for compliance achievement and cost reduction. By conducting this analysis, this work aims to contribute to a comprehensive understanding of data breaches and empower organizations to safeguard against them proactively, improving the technical quality of their basic services. To our knowledge, this is the first paper to address compliance with data protection regulations, security controls as countermeasures, financial impacts on stock prices, and incident response strategies. Although the discussion is focused on publicly traded companies in the United States, it may also apply to public and private companies worldwide.
... Verizon [5] separates human error activities from activities in response to an external threat; in other words, phishing and ransomware attacks are considered separate from pure human mistakes. According to Schlackl et al. [40], human factors can be part of the reason for a data breach and are comprised of social engineering attacks and human error. Social engineering attacks are generated by an external entity, while human error is internal and accidental. ...
... Social engineering attacks are generated by an external entity, while human error is internal and accidental. The Verizon report [5] and its database are consistent with Schlackl et al.'s [40] analysis, which separates social engineering attacks from human error. Thus, this taxonomy only includes accidental human errors leading to breaches. ...
Article
Full-text available
The unintentional activities of system users can jeopardize the confidentiality, integrity, and assurance of data on information systems. These activities, known as unintentional insider threat activities, account for a significant percentage of data breaches. A method to mitigate or prevent this threat is using smart systems or artificial intelligence (AI). The construction of an AI requires the development of a taxonomy of activities. The literature review focused on data breach threats, mitigation tools, taxonomy usage in cybersecurity, and taxonomy development using Endnote and Google Scholar. This study aims to develop a taxonomy of unintentional insider threat activities based on narrative descriptions of the breach events in public data breach databases. The public databases were from the California Department of Justice, US Health and Human Services, and Verizon, resulting in 1850 examples of human errors. A taxonomy was constructed to specify the dimensions and characteristics of objects. Text mining and hierarchical cluster analysis were used to create the taxonomy, indicating a quantitative approach. Ward’s agglomeration coefficient was used to ensure the cluster was valid. The resulting top-level taxonomy categories are application errors, communication errors, inappropriate data permissions, lost media, and misconfigurations.
... According to the US Department of Health and Human Services, a data breach is an unauthorized access or disclosure of data, as defined by the Privacy Rule set of standards, that compromises the security and privacy of protected (medical) information (Breach Notification Rule, 2022; Schlackl, Link, Hoehle, 2022). ...
... The authors of the paper (Schlackl, Link, Hoehle, 2022) highlighted the multitude of different studies and approaches developed in different environments and the need to integrate the knowledge gained on this topic. They performed a systematic search of the scientific literature on the causes and consequences of breaches of information confidentiality and integrity. ...
Article
Full-text available
The subject of the work is electronic medical record linkage threat analysis and modeling with the use of the submitted data breaches list published by the U.S. Department of Health and Human Services. Multipronged data analysis with the use of statistics utilities and data visualization has been conducted. The model forecasting the number of data breaches based on a time series mathematical model has also been built. The article reviews the tools and techniques used in data security analysis and presents practical examples of modeling and analysis that can be used in practice to improve data protection. It was shown how important it is to protect personal data, especially medical data, and what tools can be used in the educational process of data analytics for students to effect data analysis, trend assessment, and data prediction.
... According to Schlackl et al. (2022), cybersecurity incidents produce internal and external consequences for targeted companies. Perera et al. (2022) presented that cybersecurity incidents can impact companies' cyber reputation, resulting in the loss of customer trust and loyalty and affecting stock value negatively. ...
... Except for reputation, all other consequences reflect direct monetary losses. In a systematic review that analyzes data breaches, Schlackl et al. (2022) enumerated eight consequences of this type of incident, which are considered internal or external, according to the impact. Besides legal and financial aspects, the internal consequences affect operations and the workforce. ...
Article
Full-text available
Cybersecurity incidents, like data breaches and ransomware, are on the rise, and their consequences can affect companies from different perspectives. On the one hand, a well-known consequence involves the technical aspects of ensuring the continuity of companies’ operations. On the other hand, cybersecurity incidents’ repercussions can impact companies’ stock market value and negatively influence customers’ perceptions about companies’ reputations. Currently, social media platforms establish an additional concern for companies because of their capability to intensify incident reactions. This study analyzed tweets, news, and stock prices associated with four Brazilian organizations’ victims of data breaches and ransomware to answer the research question: what are the impacts of cybersecurity incidents’ public consequences on the reputation and the stock value of Brazilian organizations? Through the analysis performed, we proposed an anatomy of incidents’ repercussions covering aspects like the main events observed in the timelines and peculiarities of every incident type. The stock share prices analysis did not allow us to infer a relationship between the disclosure of incidents and stock values. By assessing Twitter’s user-generated content, we observed that data breaches reverberate more than ransomware.
... In addition to the aspect of prediction, another increasingly important requirement is the protection of sensitive user-generated data [Schlackl et al., 2022]. In most of the studies found, invasive data were used that require extra protection measures when transmitted and stored. ...
Article
Full-text available
This paper proposes a solution for predicting churn with privacy preservation by using edge computing. With the increasing popularity of smartphones, users are becoming more demanding regarding mobile app usage. Installing and removing an app are frequent routines and the ease of uninstallation can facilitate churn, which is customer abandonment. Companies seek to minimize churn since the cost of acquiring new customers is much higher than retaining current ones. To predict possible abandonment, organizations are increasingly adopting artificial intelligence (AI) techniques. Nevertheless, customers are becoming more concerned about their data privacy. In this context, we propose a technique called CANCEL, which creates attributes based on users' temporal behavior, with edge computing to predict churn locally, without transmitting users' data. The paper presents the evaluation of CANCEL in comparison to baseline solutions, the development of a mobile app integrated with the proposed method and deployed as an edge computing solution.
... SCM explains metaphorically that accidents happen when unsafe events find a trajectory through a series of holes in these barriers (cheese slices). Similarly, systems with fewer privacy defensive lines are more vulnerable than systems with more defensive lines [82,83]. ...
Article
Full-text available
Privacy by design is nowadays recognized as essential in bringing data privacy into software systems. However, developers still face many challenges in reconciling privacy and software requirements and implementing privacy protections in software systems. One emerging trend is the adoption of microservices architectures—they bring in some qualities that can benefit privacy by design. The main goal of this study is to adapt privacy by design to the qualities brought by microservices. The main focus is at the architectural level, where the main structural decisions are made. A systematic literature review is adopted to identify a set of privacy models that underscore significant differences in software systems’ protection using microservices. From the literature review, a decision framework is developed. The decision framework provides guidance and supports design decisions in implementing data privacy using microservices. The framework helps select and integrate different privacy models. An illustration of using the framework, which considers the design of an electronic voting system, is provided. This study contributes to closing the gap between regulation and implementation through design, where decisions related to data privacy are integrated with decisions on architecting systems using microservices.
... [Kaur et al. 44; Ukwandu et al. 45] Data breach: exposes confidential, sensitive or protected information to an unauthorised person (Schlackl et al. 46). Human error: refers to an employee either doing something they should not or failing to do something they should. Approximately 88 per cent of all data breaches are caused by an employee's mistake. ...
Article
Full-text available
This paper describes research to identify and classify cyberattacks in the aviation industry in order to present the true reality of airports as a critical infrastructure and the threats that airport operators face. We conducted a critical review related to types of cyberattacks and supported by updated studies to analyse cyberattacks in the aviation industry from 2000 to 2023 due to the increase of attacks occurring in this period. Data was collected from verifiable sources such as the Center for Strategic and International Studies (CSIS), Federal Aviation Administration, EUROCONTROL, European Union Aviation Safety Agency (EASA), European Union Agency for Cybersecurity (ENISA) and KonBriefing. The findings of this study revealed that recent years have seen an increase in the number of distributed denial-of-service (DDoS) and ransomware cyberattacks at airports by foreign countries motivated by political and economic reasons, diplomatic espionage or even as part of a cyber war. This is particularly worrying, because the most influential international organisations and countries are recognising the existence of a cyber war in political, espionage, terrorism, safety, financial and commercial terms. The new contribution of this research lies in the fact that many uncertainties surround the cyberattacks that airport operators and commercial airlines face on a daily basis. Cyberattacks in the aviation industry are more common than most people realise, and the issue is that sometimes this information is silenced by governments, airport and airline operators to avoid unnecessary social alarm. Link: https://www.ingentaconnect.com/contentone/hsp/jcs/2024/00000008/00000001/art00006
... Information security and data protection incidents can have serious negative consequences, both internally, affecting organisations in terms of operations, workforce retention, legal issues and financial losses, and externally, impacting organisational image and reputation (Schlackl et al., 2022). Thus, organisations are increasingly investing in information security to protect their information assets (Andersson et al., 2022). ...
... They also recommend that future research investigate factors that influence consumers in their decision to patronize businesses after data breaches have occurred. Schlackl et al. (2022) conduct an extensive review of existing literature on data breaches. They conclude that substantial knowledge gaps pertaining to data breaches exist and that previous research had a focus on standard databases. ...
Article
Full-text available
This paper explores the dynamics between value-added services, intermediary brands, and consumer privacy concerns in shaping attitudes toward blockchain-enabled consumer services. Grounded in the Antecedents-Privacy Concerns-Outcomes (APCO) framework, we develop a theoretical model that we test in three experimental studies with a total of 1613 participants, utilizing verbal scenarios featuring blockchain applications for international money transfer and hotel booking. Our research reveals that complete disintermediation via pure peer-to-peer blockchain transactions is unlikely. Consumers prefer blockchain applications offering supplementary services like call centers, password assistance, and cancellation options. As consumers become familiar with blockchain technology, privacy concerns intensify due to its distributed and immutable storage. The fears of data breaches are more pronounced when blockchain applications are offered by unknown startups as opposed to well-known Big Tech companies. However, privacy-conscious consumers also value the prospect of distancing themselves from big-data ecosystems by embracing blockchain solutions from startups. Our research extends the APCO framework by clarifying how privacy concerns, brand-based heuristics, and technological attributes interact. For managerial implications, blockchain applications necessitate re-intermediation to meet consumer preferences. Potential intermediaries, including Big Tech firms, startups, and industry incumbents, face unique challenges in developing and marketing blockchain-enabled consumer services.
... In addition, external pressure may be exerted on management to have the incidents resolved quicker, which could exacerbate the stress levels on management, causing them to think irrationally. When confronted with challenging situations, people not only suffer from stress but also experience a decrease in productivity [28]. Individuals tend to react to incidents with stress and may avoid contact with other individuals if they believe they cannot effectively exert control over possible threats [8]. ...
Article
Full-text available
The object of this research is the implications of cybersecurity breaches on the leaders of accounting firms in KwaZulu-Natal, South Africa. The research employed a qualitative approach with interviews as the primary data collection technique. The researcher adopted a rigorous analytical framework, utilising different scholarly sources to analyse and explain the intricate experiences of firm leaders. The study revealed that leaders of accounting firms experience psychological, financial, and social consequences due to cybersecurity breaches. It highlights the emotional impact, including anxiety and increased stress. The fear of potential job losses was found to be one issue leaders were worried about after the data breach. The stress from dealing with the aftermath of data breaches affected their family relationships. In addition, leaders experienced low productivity and increased pressure dealing with the media and organization stakeholders and the stigma associated with data breaches. Given the critical role that accounting firms play in the financial ecosystem and the sensitive nature of the data they handle, it is imperative that cybersecurity is prioritised. However, studies have focused on the financial implications of cybersecurity breaches on businesses, but less attention has been paid to the psychological, social, and financial implications of breaches on firm leaders. The findings are significant for academic discourse but also provide leaders with strategies to mitigate the adverse effects of breaches, while also offering a framework for other researchers and practitioners in different regions and sectors to understand and study the phenomenon further.
... Regardless of origin, crises require urgent responses to both limit damage and initiate recovery (Hermann, 1963). In addition, addressing complexities arising from crises requires a multi-step process that includes diagnosing causes, assessing severity, stabilizing performance, implementing recovery strategies, and evaluating performance outcomes (Pearson & Clair, 1998; Schlackl et al., 2022). ...
Chapter
Full-text available
When organizations face performance shortfalls serious enough to threaten their long-term viability, their top management teams (TMTs) must successfully implement turnaround strategies to revitalize their financial and competitive health. Adverse cybersecurity events (e.g., data breaches) represent an increasingly important strategic threat that can prompt organizational performance decline and require TMTs to implement a turnaround process. Despite increasing cyberattack frequency and mounting evidence of the performance damage they can inflict, however, only limited research, to date, has examined information systems failures as causal factors in organizational decline. Accordingly, we examine these events within the context of organizational decline and turnaround research. To account for event complexity causing organizational decline, we first develop a typology of different cyber event types. We then employ this typology to examine cyberattacks’ role on organizational decline and, in turn, how TMTs can respond to turn around organizational performance, based both on failure type and severity. Next, we note how research methods and data sources often employed in cybersecurity research could help overcome some of turnaround research’s current conceptual (e.g., defining decline commencement) and methodological (e.g., accessing data) challenges. We conclude by suggesting avenues for cross-pollinating turnaround and cybersecurity research.
... Although this seems like a foundational question within computer security, most review articles focus on other questions such as the impact of cyberattacks (Anderson et al. 2019;Schlackl, Link, and Hoehle 2022;Spanos and Angelis 2016), victimisation frequencies (Breen, Herley, and Redmiles 2022;Reep-van den Bergh and Junger 2018) and future research directions (Eling, McShane, and Nguyen 2021;Falco et al. 2019). An exception is provided by Woods and Böhme (2021) who collect studies with the goal of answering the question 'Which security interventions effectively reduce harm?' Discouragingly, the authors conclude that an answer is 'unavailable based on current evidence'. ...
Article
Cybersecurity policy should guide firms towards implementing the most effective security controls and procedures. However, there is no authority that collects evidence and ranks cybersecurity controls by efficacy. The evidence needed by policymakers is distributed across academic studies and industry white papers. To address this gap, we conduct a meta-review of studies that empirically evaluate the efficacy of cybersecurity interventions. Attack surface management and patch cadence were consistently the first and second most effective interventions. Reduced cyber insurance claims frequency was associated with migrating to cloud email and avoiding specific VPN providers. Multi-factor authentication was effective in protecting individual accounts, although inconsistent MFA-implementation undermines efficacy when rolled out across an organisation. The evidence suggests effectiveness is driven by how a control is implemented more than by a binary yes-no regarding whether it is implemented. Thus, policy measures that mandate specific controls are unlikely to result in risk reduction. Instead, policymakers should aim to support organisations in administering security controls and making risk-based decisions. Successful examples can be seen in policy measures that improve the efficiency of patch management, such as funding for the US National Vulnerability Database, CERT/CC, and the Known Exploited Vulnerabilities catalog.
... Successful cybersecurity attacks can cause various types of damage, such as financial damage, reputational damage, unauthorized access to data, etc. In addition, the costs associated with cybersecurity incidents are also increasing [2], and the EU is no exception. Moreover, cybersecurity has become one of the most important security priorities [3]. ...
Article
Full-text available
Cybersecurity attacks have increased in recent years, both on the EU and global levels, in terms of their number and impact. The public administration sector is particularly at risk, as this is where most cybersecurity attacks take place. It is therefore important to develop comprehensive information security strategies on both the organizational and national level. Strategies help to set up a relatively long-term focus and priorities. The aim of our study is to understand how the EU member countries deal with such challenges. To achieve this, we analyze three indices: the level of penetration (PL), level of digitalization (DL), and global cybersecurity index (GCI). We examine individual national strategies to provide a basis for a comparative analysis which can serve as a reference for improving the long-term cybersecurity in the public administration.
... Gossip broadly refers to evaluative communication that expresses the judgment of an absent third party, and, in the online environment, it refers to the unsanctioned transmission of consumer personal data. Gossip theory provides valuable insights into consumers' responses to firms' practices of gathering and using consumer personal information, as well as to attempts to breach privacy boundaries (e.g., Schlackl et al., 2022). ...
Article
Full-text available
Purpose In the online environment, consumers increasingly feel vulnerable due to firms’ expanding capabilities of collecting and using their data in an unsanctioned manner. Drawing from gossip theory, this research focuses on two key suppressors of consumer vulnerability: transparency and control. Previous studies conceptualize transparency and control from rationalistic approaches that overlook individual experiences and present a unidimensional conceptualization. This research aims to understand how individuals interpret transparency and control concerning privacy vulnerability in the online environment. Additionally, it explores strategic approaches to communicating the value of transparency and control. Design/methodology/approach An interpretivism paradigm and phenomenology were adopted in the research design. Data were collected through semi-structured interviews with 41 participants, including consumers and experts, and analyzed through thematic analysis. Findings The findings identify key conceptual dimensions of transparency and control by adapting justice theory. They also reveal that firms can communicate assurance, functional, technical and social values of transparency and control to address consumer vulnerability. Originality/value This research makes the following contributions to the data privacy literature. The findings exhibit multidimensional and comprehensive conceptualizations of transparency and control, including user, firm and information perspectives. Additionally, the conceptual framework combines empirical insights from both experiencers and observers to offer an understanding of how transparency and control serve as justice mechanisms to effectively tackle the issue of unsanctioned transmission of personal information and subsequently address vulnerability. Lastly, the findings provide strategic approaches to communicating the value of transparency and control.
... However, PII is not a secure authentication factor. In addition to the frequent data breaches nowadays [28] and the threats revealed by previous studies [4], [29], [30], our study reveals a new concerning fact: when people use many apps simultaneously (which our user study revealed to be true), SMS OTP becomes the sole protection because of the PII exposure in apps and business-related interactions of two or more apps, rendering the PaFA mechanism useless. Striking a balance between security and usability remains a significant challenge. ...
... Schlackl et al. [68] Password attack: A password attack is used to exploit the authentication of user accounts. Password attacks involve exploiting a broken authorisation vulnerability in the system combined with automatic password attack tools that speed up the guessing and cracking of passwords. ...
Article
Full-text available
The purpose of this paper is to analyse cybersecurity in online travel agencies (OTAs) and hotel sectors to protect users' private data in smart cities. Methodologically, this research uses a sample of information about cyberattacks that occurred during the period 2000-2023 in companies operating as OTAs and in the travel, tourism, and food sectors, which was obtained from research articles. Then, we had to expand the research to include updated information about cyberattacks from digital newspapers, regulatory sources, and state data breach notification sites like CSIS, KonBriefing, EUROCONTROL, and GlobalData. The findings of the current research prove that hotels and OTAs were constantly exposed to cyberattacks in the period analysed, especially data breaches and malware attacks; in fact, this is the main novelty of this research. In addition, these incidents were severe for both guests and tourism companies because their vulnerabilities and consequences affect the reputation of companies and the smart cities where these firms operate, as well as consumer confidence. The results also showed that most of the cyberattacks examined in this manuscript were aimed at stealing information about the companies' and users' private data such as email addresses; credit card numbers, security codes, and expiration dates; and encoded magstripe data; among many other types of data. Cyberattacks and cyberthreats never disappear completely in the travel and tourism sectors because these illegal activities are closely related to the hacker's thirst for power, fame, and wealth.
... When interacting with New Media, they often have to provide personal information, such as personal data, e-mail addresses, and others [56]. If this data is not properly guarded by platforms or companies that provide New Media services, there is a risk of identity theft or misuse of personal information [57], [58]. ...
Conference Paper
This systematic literature review (SLR) study aims to analyze the role of New Media as a Tool to Improve Creative Thinking, with relevant articles from 2018 to 2023 taken from reputable international journals. It uses three research questions (RQ) to explore New Media's relevance in stimulating creativity. The results indicate that interactive platforms such as social media and online collaboration tools positively influence creative thinking skills. Interaction through New Media allows individuals to share ideas, discuss, and be exposed to various points of view, all of which stimulate creative thinking. In addition, New Media also facilitates the creative process of solving problems and generating original ideas. The immersive experiences offered by this technology can enhance the exploration of ideas and increase the ability to think out-of-the-box. While New Media offers great potential to enhance creativity, there are also potential risks, such as false information, media addiction, and privacy concerns. Therefore, awareness of the wise use of New Media needs to be increased, especially in education and everyday life. Overall, this literature review provides in-depth insight into the role of New Media in enhancing creative thinking skills and driving innovation. With the right approach, New Media can be an effective tool in stimulating creative thinking and encouraging the creation of original ideas beneficial for future social and technological developments.
... As cyber-attacks grow in sophistication and size, the requirement for powerful network intrusion detection systems (NIDS) to protect the integrity and security of these critical digital infrastructures has become critical [15,16]. Data breaches [17], service disruptions, and the costs associated with recovery and remediation activities can all result in significant financial losses for enterprises [6]. Furthermore, intangible expenses such as brand reputation and customer trust can have far-reaching effects that go beyond direct financial consequences [18,19]. ...
Article
Full-text available
Computer networks have become the backbone of our interconnected world in today's technologically driven landscape. Unauthorized access or malicious activity carried out by threat actors to acquire control of network resources, exploit vulnerabilities, or undermine system integrity are examples of network intrusion. ZSL (Zero-Shot Learning) is a machine learning paradigm that addresses the problem of detecting and categorizing objects or concepts that were not present in the training data. Traditional supervised learning algorithms for intrusion detection frequently struggle with insufficient labeled data and may struggle to adapt to unexpected attack patterns. In this article we have proposed a unique zero-shot learning hybrid partial label model suited to a large image-based network intrusion dataset to overcome these difficulties. The core contribution of this study is the creation and successful implementation of a novel zero-shot learning hybrid partial label model for network intrusion detection, which has a remarkable accuracy of 99.12%. The suggested system lays the groundwork for future study into other feature selection techniques and the performance of other machine learning classifiers on larger datasets. Such research can advance the state-of-the-art in intrusion detection and improve our ability to detect and prevent network attacks. We hope that our research will spur additional research and innovation in this critical area of cybersecurity.
... It is common for data breaches to involve sensitive consumer information like social security numbers, medical history, and information about insurance, banking, or finances (Identity Theft Resource Center 2023) and to have enormous financial implications for firms, with the average cost per incident in the United States exceeding $9.05 million (IBM Security 2021). Other grave repercussions include damaging consumer and supplier relationships, injuring employee morale, causing price increases, and disrupting marketing investments (IBM 2022;Schlackl, Link, and Hoehle 2022). For example, in 2017, when Verizon was negotiating to acquire Yahoo, the latter experienced a massive data breach (3 billion accounts; Womack 2017) that delayed the deal and caused a $925 million reduction in the sale price. ...
Article
Data breaches have the potential to weaken employee morale, corporate reputations, and customer and supplier relationships, while also disrupting marketing investments and financial performance. Research on reducing their frequency and harm focuses on tactical solutions though breaches represent serious, even existential threats to firms. To date, research has not attempted to simultaneously address the closely connected phenomena of preventing and recovering from data breaches. The authors propose that corporate social responsibility (CSR) is a strategic variable offering dual protection: reducing the likelihood of data breaches and attenuating harm when breaches occur. Drawing on Stakeholder Theory, the authors distinguish between internal (addressing primary stakeholders) and external (addressing secondary stakeholders) CSR. Study 1 shows external CSR has no prophylactic effect while moderate and high levels of internal CSR are equally effective at preventing data breaches compared to low levels of internal CSR. Study 2 assesses mitigation following a data breach by examining (a) short-term effects (in the form of an event study on cumulative abnormal returns) and (b) long-term effects (with time series analysis of Tobin's Q). The results suggest internal CSR props up financial performance only at high levels while the positive effect of external CSR is short-lived.
... A systematic review of antecedents and consequences of data breaches by Schlackl et al. [26] explored antecedent categories for managerial (security investments and policies, business partnerships, and IT governance), technological (security technologies and system auditing), organizational (size and industry), and regulatory factors (US data breach notification laws and regulatory enforcement). They reported that larger organizations and organizations with EHRs reported more data breaches, whereas organizations that conducted financial audits reported fewer data breaches. ...
Article
Background Health care data breaches are the most rapidly increasing type of cybercrime; however, the predictors of health care data breaches are uncertain. Objective This quantitative study aims to develop a predictive model to explain the number of hospital data breaches at the county level. Methods This study evaluated data consolidated at the county level from 1032 short-term acute care hospitals. We considered the association between data breach occurrence (a dichotomous variable), predictors based on county demographics, and socioeconomics, average hospital workload, facility type, and average performance on several hospital financial metrics using 3 model types: logistic regression, perceptron, and support vector machine. Results The model coefficient performance metrics indicated convergent validity across the 3 model types for all variables except bad debt and the factor level accounting for counties with >20% and up to 40% Hispanic populations, both of which had mixed coefficient directionality. The support vector machine model performed the classification task best based on all metrics (accuracy, precision, recall, F1-score). All 3 models performed the classification task well with directional congruence of weights. From the logistic regression model, the top 5 odds ratios (indicating a higher risk of breach) included inpatient workload, medical center status, pediatric trauma center status, accounts receivable, and the number of outpatient visits, in high to low order. The bottom 5 odds ratios (indicating the lowest odds of experiencing a data breach) occurred for counties with Black populations of >20% and <40%, >80% and <100%, and >40% but <60%, as well as counties with ≤20% Asian or between 80% and 100% Hispanic individuals. Our results are in line with those of other studies that determined that patient workload, facility type, and financial outcomes were associated with the likelihood of health care data breach occurrence. Conclusions The results of this study provide a predictive model for health care data breaches that may guide health care managers to reduce the risk of data breaches by raising awareness of the risk factors.
... The number of large-scale and high-profile data breaches, such as WikiLeaks and Sony Hack, is rapidly growing [10]. Since data breaches can lead to public relations disasters, their prevention and detection have become top priorities for enterprise managers [11]. The current data breach studies mainly focus on three areas [12]. ...
Article
Full-text available
Data governance aims to optimize the value derived from data assets and effectively mitigate data-related risks. The rapid growth of data assets increases the risk of data breaches. One key solution to reduce this risk is to classify data assets according to their business value and criticality to the enterprises, allocating limited resources to protect core data assets. The existing methods rely on the experience of professionals and cannot identify core data assets across business scenarios. This work conducts an empirical study to address this issue. First, we utilized data lineage graphs with expert-labeled core data assets to investigate the experience of data users on core data asset identification from a scenario perspective. Then, we explored the structural features of core data assets on data lineage graphs from an abstraction perspective. Finally, one expert seminar was conducted to derive a set of universal indicators to identify core data assets by synthesizing the results from the two perspectives. User and field studies were conducted to demonstrate the effectiveness of the indicators.
... However, companies have been subject to invasion by malicious people or organizations. Information leakage can damage companies' reputations and competitiveness (Fazenda & Fagundes, 2015;Proença & Borbinha, 2018;Schlackl, Link, & Hoehle, 2022). In this sense, the adequacy of organizations to standard information security management systems like ISO 27001 can allow them to conduct and effectively protect critical information, reflect the assessment of information processes, take a proactive attitude about information security, and show that, in compliance with an international standard, the institution can be more trustworthy (ABNT, 2013). ...
Article
Full-text available
Implementing a new management system in organizations that already have a certified management system can be challenging. This research discussed enabler factors that influence the integration of an information security management system certified following ISO 27001 with a quality management system certified following ISO 9001. Five factors were identified as the basis of this research: Implementation Model, Human Resources, Resources Availability, Standard Issues, and Standards Integration. Four factors were validated through a qualitative study with consultants specialized in implementing and integrating these standards. Then, by prioritizing these factors through the Analytic Hierarchy Process method, it was found that the most relevant aspect is Standards Integration for the managers from the institution under study. For specialist consultants, the most pertinent factor is Human Resources.
... Beyond the prediction aspect, another increasingly important requirement is the protection of sensitive data generated by the user [Schlackl et al. 2022]. In most of the works found, invasive data were used that require extra protection measures when transmitted and stored. ...
Conference Paper
Full-text available
This work proposes a solution to predict churn (user abandonment) with privacy preservation using edge computing. With the growing popularity of smartphones, users are becoming more demanding regarding the use of mobile applications. App installations and uninstallations are frequent events, and the ease of uninstallation can facilitate churn, which is customer abandonment. Companies seek to minimize churn, since the cost of acquiring new customers is much higher than that of retaining current ones. To predict possible abandonment, organizations are increasingly adopting artificial intelligence (AI) techniques. However, customers are increasingly concerned about the privacy of their data. In this context, we propose a technique called CANCEL, which creates attributes based on users' temporal behavior, with edge computing to predict churn locally, without transmitting user data. The paper presents the evaluation of CANCEL in comparison with baseline solutions, and the development of a mobile application integrated with the proposed method and deployed as an edge computing solution.
Article
Full-text available
Amidst Saudi Arabia’s digital transformation, this study investigates the impact of HR training on information security awareness in the finance and healthcare sectors. Grounded in an interpretivist paradigm, semi-structured interviews with 26 participants reveal HR’s crucial role in fostering a security-aware culture and facilitating collaboration between HR and IT departments. Key findings highlight five main themes: organizational culture and approach, collaboration and communication, training and education mechanisms, measurement and feedback, and sectoral insights. The study addresses literature gaps by presenting a novel perspective on HR’s role in information security, emphasizing the balance between security and individual rights. Despite sector-specific limitations, the research underscores the importance of collaborative cybersecurity efforts and suggests areas for future exploration, particularly in data consistency. This research provides valuable theoretical and practical implications for the evolving landscape of information security in Saudi Arabia, aligning with the nation’s Vision 2030 goals.
Article
There has been a significant increase in the number of academic studies published on the relationship between corruption and innovation in recent years. Various relationships have been conceptualized, including the “sand” and “grease” perspectives which propose that corruption reduces and increases innovation, respectively. In light of interest in the topic showing growing momentum, we review the literature on corruption and innovation for the purpose of reconciling these proposed theoretical perspectives. Following a systematic literature review methodology, we explain the composition of the literature and map the key conceptualizations of the corruption-innovation relationship. We link the variables, measures, and theories employed in the literature to proposed conceptual relationships. Furthermore, we outline the key patterns in which the sanding or greasing impact is more likely to be observed. Based on the systematic review, we propose a research agenda for corruption-innovation research and discuss policy implications.
Article
The role of big data as a catalyst for the knowledge-based economy is widely recognized, serving as a backbone for powering algorithms. However, prior work has predominantly focused on the supply side of having the “right” datasets or considering data as a “ready-to-use” asset. This approach has resulted in a limited perspective on how to enable value creation from data. There is a need to transition from viewing data as a “ready-to-use” resource to engaging in the co-design of data-based products and services and explore how data-driven practices impact current business practices and organizations. This is why we invite researchers to delve deeper into data-driven design and management practices. The goal is to move ‘beyond data fads’ to better understand the opportunities unveiled by data and explore what management of data-driven organizations entails. This editorial aims to introduce this viewpoint, outline the articles featured in this special issue, and propose directions for future research. The insights garnered from the special issue highlight the multifaceted role of data in enhancing organizational capabilities, spanning from design thinking and disruptive innovation to supply chain management, as well as the importance of innovation intermediaries and ecosystems.
Article
Purpose This study aims to explore the spillover effects of data breaches from a consumer perspective in the e-commerce context. Specifically, we investigate how an online retailer’s data breach affects consumers’ privacy risk perceptions of competing firms, and further how it affects shopping intention for the competitors. We also examine how the privacy risk contagion effect varies depending on the characteristics of competitors and their competitive responses. Design/methodology/approach We conducted two scenario-based experiments with surveys. To assess the spillover effects and the moderating effects, we employed an analysis of covariance. We also performed bootstrapping-based mediation analyses using the PROCESS macro. Findings We find evidence for the privacy risk contagion effect and demonstrate that it negatively influences consumers’ shopping intention for a competing firm. We also find that a competitor’s cybersecurity message is effective in avoiding the privacy risk contagion effect and the competitor even benefits from it. Originality/value While previous studies have examined the impacts of data breaches on customer perceptions of the breached firm, our study focuses on customer perceptions of the non-breached firms. To the best of the authors’ knowledge, this study is one of the first to provide empirical evidence for the negative spillover effects of a data breach from a consumer perspective. More importantly, this study empirically demonstrates that the non-breached competitor’s competitive response is effective in preventing unintended negative spillover in the context of the data breach.
Article
Data breach incidents are growing by the day and firms struggle to detect, defend, and respond to such breaches. Nowadays, security breaches are considered one of the major concerns for corporate organizations around the world. Hence, it is essential to assess the impact of such breaches on organizations. This article reports stock price reaction due to public disclosure of information security breach (ISB) incidents on publicly traded firms of India. Using the event study methodology on a sample of 120 publicly announced ISB incidents between January 2004 and April 2019 pertaining to 69 publicly listed firms of India, we found that exposure to an ISB incident exacerbates negative stock price reactions based on both one-factor market model and Fama-French three-factor model. On average, breached firms lost 0.55% of their market value within two days post the announcement of ISB incidents. Further, we found some factors that significantly negatively impacted Cumulative Abnormal Return (CAR). Important emerging factors such as type of compromised data, sentiment, subjectivity, and remedial strategy significantly impact CAR. According to our study findings, we suggest that firms should mention remedial measures in terms of apology and/or compensation in the ISB disclosure. Furthermore, the result indicates that investors penalize listed firms for subsequent ISB incidents. Thus, our findings may guide Chief Information Officers (CIOs), information security managers, and IT managers of publicly traded firms to devise various strategies in terms of IT security measures and content of the ISB disclosure.
Article
With the explosive and rapid development of flexible circuit technology, massive demand for wearable devices has arisen. Furthermore, wearable devices integrated with smartphones have come to exert a potential influence on online banking, digital healthcare services, and digital personal identification. This all-in-one device enables users to experience enhanced convenience; however, it also entails the inherent risk of cyber infiltration. A single successful hack into the device could endanger the security of the user. Therefore, it is imperative to implement robust encryption and authentication mechanisms within wearable devices. Herein, we suggest a flexible and wearable encryption primitive based on an optical physically unclonable function which has a high capability of being embedded into a wearable device. As a stochastic and unpredictable process-driven security concept, the physically unclonable function (PUF) can operate as a solid identifier against online and offline intrusion. The physically unclonable tag consists of screen-printed Ag on polyimide. The micro-scaled morphological characteristics of the Ag-paste tag (APT) diverge as the fabrication step is repeated. Both the PUF appliance potential (i.e., uniformity, reproducibility, uniqueness, and randomness) and the real-case demonstration results (i.e., sensor-attached and smartphone-integrated operation) manifest that the APT functions as a strong encryption system embedded in a wearable device.
Article
Purpose This study aims to examine the relative effectiveness of functional and financial remedies in influencing customers' negative coping responses in the event of a data breach. It also uncovers the different mediating roles played by customers' feelings of anger and fear in the process of data breach recovery. This study thus differs from the literature, which has primarily focused on the impact of financial compensation and apologies for service failures in face-to-face environments. Design/methodology/approach Two scenario-based experiments were conducted to empirically validate the model. The authors received 302 copies of the questionnaire, of which 269 were valid. Findings This study finds that functional remedies are more effective than financial remedies when sensitive information has been compromised, but there is no significant difference between the effectiveness of the two remedies when nonsensitive information has been compromised. In addition, functional remedies influence negative coping behaviors directly and indirectly; the indirect effect is achieved through the reduction of fear and anger. Contrary to the authors' expectation, financial remedies do not have a direct effect on negative coping behaviors; they can indirectly affect negative coping behaviors by reducing anger but do not affect negative coping behaviors by reducing fear. Practical implications This study provides key insights into how to manage customer reactions in the event of a data breach, suggesting the use of carefully designed recovery strategies. Companies must attend to customers' specific emotional responses to manage their negative coping behaviors. Originality/value This study extends the limited literature on data breach recovery actions by investigating the different effectiveness of functional and financial remedies in the event of a data breach. It also uncovers how functional and financial recovery strategies affect customers' negative coping behaviors by revealing the different mediating effects of fear and anger.
Article
This article examines the negative consequences that can arise from the utilisation of innovative data practices implemented by organisations. While these technologies offer significant value, their improper implementation can lead to harmful practices that undermine the rights of individuals within societies. Through a systematic literature review of 383 articles employing the realistic evaluation theory, this study synthesises key findings to identify the contextual factors that contribute to these harmful practices. The results highlight the challenges posed by the characteristics of Big Data, often resulting in haphazard data implementation scenarios. Three critical mechanisms, namely data transparency, biases, and breaches, interact with these implementation contexts, leading to adverse outcomes that compromise individual empowerment, societal fairness, and personal privacy. In addition, this article identifies important areas for future research and provides recommendations for policymakers to effectively manage the negative aspects of data practices, ensuring sustainability within the digital ecosystem.
Article
Research Summary This study utilized a quantitative analysis of 246 cyberattack incidents reported in the Extremist CyberCrime Database to identify significant predictors of nation‐state‐sponsored cyberattacks relative to those performed by non‐nation‐state‐sponsored ideological actors. Clarke and Newman's Situational Crime Prevention framework for terrorism was used to identify differential opportunities to successfully affect targets on the basis of tools, weapons, and the ability to access targets in online settings. The analysis noted nation‐state‐sponsored attacks were less likely to use high‐visibility attack methods and more likely to utilize attack methods leading to data breaches. In addition, they were more likely to target state governments and military entities relative to ideological actors. Policy Implications Nation‐state attacks are more difficult to identify or mitigate while in process, requiring a more robust national cybersecurity policy framework to be implemented that moves beyond current practices. There is a need to better utilize all aspects of government, from legislation to grant funding, in order to deter cyberattacks from continuing into the future.
Article
As the world's aging population increases, leveraging technology to support aging is proving advantageous. Notably, technology adoption studies among older adults have received increasing scholarly attention, but findings from these studies do not reflect the context of low-income older adults. Studies focusing on low-income older adults are relatively few, and it remains unclear which factors influence this group's technology use. This systematic review aims to synthesize findings on factors influencing technology use among low-income older adults to provide directions and opportunities for future research in information systems. Observing the literature through the lens of Social Cognitive Theory, we identified avenues for future research and further integrated the framework with Maslow's hierarchy of needs to elucidate the phenomenon. Findings from this systematic review suggest that both personal and environmental factors, such as cognitions, affects, sociodemographic characteristics, and the technological and social environment, are significant predictors of technology use among low-income older adults. Specifically, factors related to accessibility and affordability, such as income, perceived cost, and accessibility to technology, are salient in a resource-limited setting. More importantly, the technology usage behavior elucidates the embeddedness of fundamental human needs, which play a central role underlying technology use among this segment. However, more research is needed to understand the interaction between person, environment, and behavior determinants shaping technology use among low-income older adults from diverse economic and cultural settings. This study also sheds light on disciplinary gaps and the lack of investigations anchored on theoretical foundations, and suggests avenues for future research and implications for practice.
Article
Digital identity and access management (IAM) poses significant challenges for companies. Cyberattacks and resulting data breaches frequently have their root cause in enterprises’ IAM systems. During the COVID-19 pandemic, issues with the remote authentication of employees working from home highlighted the need for better IAM solutions. Using a design science research approach, the paper reviews the requirements for IAM systems from an enterprise perspective and identifies the potential benefits of self-sovereign identity (SSI) – an emerging, passwordless paradigm in identity management that provides end users with cryptographic attestations stored in digital wallet apps. To do so, this paper first conducts a systematic literature review followed by an interview study and categorizes IAM system requirements according to security and compliance, operability, technology, and user aspects. In a second step, it presents an SSI-based prototype for IAM, whose suitability for addressing IAM challenges was assessed by twelve domain experts. The results suggest that the SSI-based authentication of employees can address requirements in each of the four IAM requirement categories. SSI can specifically improve manageability and usability aspects and help implement acknowledged best practices such as the principle of least privilege. Nonetheless, the findings also reveal that SSI is not a silver bullet for all of the challenges that today’s complex IAM systems face.
Article
Cloud computing platforms have been one of the best sources for resource computation and service recommendations in the recent years. Users’ reliance on the cloud has increased dramatically during the pandemic period, particularly for data storage and pay-per-use services. Restricted and reliable access control is essential for protecting the data stored in the cloud. The traditional role-based access control techniques are ineffective in multi-tenant computing systems like the cloud. To provide security in cloud computing systems and offer a trusted environment for service providers and service users, we present a trust-oriented role-based access control paradigm in this work. The Trust Management System's reputation is something that TRBAC wants to uphold by ensuring that various cloud threats do not compromise the service requests made and used by individual users. Validation and analysis of the membership credentials of users and roles mapped in the access control list ensure restricted access control in TRBAC. The proposed model intends to assist the data owners in identifying reliable service users and service providers by reviewing the interaction history and assessing direct, indirect, and weighted trust. This paper demonstrates how calculated trust values detect nefarious nodes and recommend defense mechanisms against various security concerns, including the Sybil attack, the On–off attack, the Collusion attack, and the DoS attack. To illustrate the impact of the suggested mitigation techniques and to handle various security concerns, a comparative analysis of the TRBAC model is done with its peers.
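The abstract above names the ingredients of a trust-oriented RBAC decision (interaction history, direct, indirect and weighted trust, and detection of on-off and Sybil-style behaviour) without giving formulas. The following is an added illustration, not the TRBAC model from the paper: the trust formulas, the decay factor, the role thresholds, the role memberships and the interaction history are all constructed assumptions chosen to show why recency-weighting matters against an on-off attacker and why recommendations should be discounted by the recommender's own trust.

```python
"""Trust-weighted RBAC check (added example; constructed model, not the paper's TRBAC)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class TrustStore:
    """Interaction history and recommendations used to score peers (constructed data model)."""
    history: Dict[str, List[bool]] = field(default_factory=dict)           # peer -> outcomes, oldest first
    recommendations: Dict[str, Dict[str, float]] = field(default_factory=dict)  # recommender -> {subject: score}

    def record(self, peer: str, ok: bool) -> None:
        """Append one interaction outcome (True = the peer behaved correctly)."""
        self.history.setdefault(peer, []).append(ok)

    def naive_trust(self, peer: str) -> float:
        """Plain fraction of good interactions; blind to *when* misbehaviour happened."""
        outcomes = self.history.get(peer, [])
        return sum(outcomes) / len(outcomes) if outcomes else 0.5

    def direct_trust(self, peer: str, decay: float = 0.8) -> float:
        """Recency-weighted fraction of good interactions (assumption: geometric decay).
        The newest outcome has weight 1, the one before it `decay`, and so on, so a peer
        that behaves well and then turns malicious (on-off attack) loses trust quickly."""
        outcomes = self.history.get(peer, [])
        if not outcomes:
            return 0.5  # unknown peer: neutral prior (assumption)
        num = den = 0.0
        w = 1.0
        for ok in reversed(outcomes):
            num += w if ok else 0.0
            den += w
            w *= decay
        return num / den

    def indirect_trust(self, peer: str) -> float:
        """Recommendations about `peer`, each weighted by our direct trust in the recommender,
        so low-trust recommenders (colluding or self-promoting Sybil identities) carry little weight."""
        num = den = 0.0
        for recommender, scores in self.recommendations.items():
            if peer in scores:
                w = self.direct_trust(recommender)
                num += w * scores[peer]
                den += w
        return num / den if den else 0.5

    def weighted_trust(self, peer: str, alpha: float = 0.7) -> float:
        """Combine direct and indirect trust; alpha is the weight on first-hand evidence (assumption)."""
        return alpha * self.direct_trust(peer) + (1.0 - alpha) * self.indirect_trust(peer)


# Constructed role model: minimum weighted trust required to exercise a role, and static role membership.
ROLE_THRESHOLD: Dict[str, float] = {"reader": 0.5, "writer": 0.7, "admin": 0.9}
ROLE_MEMBERS: Dict[str, Set[str]] = {
    "alice": {"admin", "writer"},
    "bob": {"writer"},
    "mallory": {"reader", "writer"},
}


def authorize(store: TrustStore, user: str, role: str) -> bool:
    """Grant the role only if the user is a member AND current weighted trust meets the role's threshold."""
    if role not in ROLE_MEMBERS.get(user, set()):
        return False
    return store.weighted_trust(user) >= ROLE_THRESHOLD[role]


def build_demo_store() -> TrustStore:
    """Constructed interaction history: mallory is honest for 5 interactions, then misbehaves 3 times
    (on-off pattern); bob slipped once; alice has a clean record."""
    store = TrustStore()
    for ok in [True] * 6:
        store.record("alice", ok)
    for ok in [True, True, True, False, True, True]:
        store.record("bob", ok)
    for ok in [True] * 5 + [False] * 3:
        store.record("mallory", ok)
    # Constructed recommendations; mallory rates herself 1.0, which is dampened by our low trust in her.
    store.recommendations = {
        "alice": {"bob": 0.8, "mallory": 0.3},
        "bob": {"alice": 0.9},
        "mallory": {"bob": 0.1, "mallory": 1.0},
    }
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for user, role in [("alice", "admin"), ("bob", "writer"), ("bob", "admin"), ("mallory", "reader")]:
        print(f"{user}/{role}: naive={s.naive_trust(user):.3f} weighted={s.weighted_trust(user):.3f} "
              f"-> {'GRANT' if authorize(s, user, role) else 'DENY'}")
```

With these constructed inputs mallory's plain success rate is still 5/8 = 0.625, which would pass the reader threshold; the recency-weighted score is about 0.41, so the on-off pattern is caught and the role is denied, while bob's single old slip is discounted and his writer role is retained.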
Article
Firms continue to face increasing threats of financial and reputational damage from cybersecurity events. Despite increasing scholarly attention, our 25-year review of studies published in leading academic business journals demonstrates that extant research has generally examined antecedents (e.g., technological defenses), with more limited research focusing on managerial responses to or long-term performance outcomes from these events. Accordingly, we chronicle the current state of knowledge of these threats from a management (rather than from an information systems) perspective. We then highlight important future research opportunities for management scholars interested in developing or testing theory related to critical cybersecurity issues. Keywords: cyberrisk management, cybersecurity, crisis management, strategic management of information systems, technology issues of HRM
Conference Paper
Strategic transactions can affect a firm's structural complexity and data breach risk. Mergers and acquisitions increase data breach risk by increasing a firm's structural complexity through the addition of new businesses and new IT interlinkages among the firm's existing and newly added businesses. Divestitures reduce a firm's data breach risk by reducing the firm's structural complexity through the removal of some business units and associated IT interlinkages. Business partnerships increase a firm's structural complexity and data breach risk by opening up the firm's IT environment to third-party business partners and creating challenges in joint governance and control of the IT interface and interaction points of the partners. We find support for these ideas in a sample of 9,784 U.S. firms during 2005-2017. The proposed theory explains how and why strategic initiatives increase firms' data breach risks.
Article
This paper undertakes a systematic review of the Information Systems Security literature. The literature review consists of three parts: First, we perform topic modeling of major Information Systems journals to understand the field’s debates. Second, we conduct a Delphi Study composed of the Chief Information Security Officers of major corporations in the US to identify security issues that they view as important. Third, we compare Topic Modeling and the Delphi Study results and discuss key debates, gaps, and contradictions within the academic literature. Further, extant Information Systems Security literature is reviewed to discuss where the academic community has placed the research emphasis and what is now required in the discipline. Based on our analysis, we propose a future agenda for Information Systems security research.
Article
Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees' misunderstanding, carelessness, or deliberate disregard of ISec policies (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping: problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.
Article
Data security breaches (DSBs) are increasing investor and regulator pressure on firms to improve their IT governance (ITG) in an effort to mitigate the related risk. We argue that DSB risk cannot be mitigated by one executive alone, but, rather, is a shared leadership responsibility of the top management team (TMT) (i.e., Chief Executive Officer [CEO], Chief Financial Officer [CFO], and Chief Information Officer [CIO]). Our results suggest that IT-savvy CEOs see technologies related to mitigating DSBs as a top-three most important type of digital methodology for their firm. Similarly, the results related to CFOs with IT expertise single out the critical investment in controls designed to prevent DSBs. Our strong findings for CIOs on the TMT add to the related guidance from COBIT 5 for information security and consistently suggest that they are the key executive for securing IT systems. Finally, our granular explanation of each executive’s DSB-related responsibility could potentially provide firms the start of a governance-led roadmap for compliance to the Securities and Exchange Commission’s and Justice Department’s cyber regulations.
Article
If the mantra "data is the new oil" of our digital economy is correct, then data leak incidents are the critical disasters in the online society. The initial goal of our research was to present a comprehensive database of data breaches of personal information that took place in 2018 and 2019. This information was to be drawn from press reports, industry studies, and reports from regulatory agencies across the world. This article identified the top 430 largest data breach incidents among more than 10,000 data breach incidents. In the process, we encountered many complications, especially regarding the lack of standardization of reporting. This article should be especially interesting to the readers of JDIQ because it describes both the range of data quality and consistency issues found as well as what was learned from the database created. The database that was created, available at https://www.databreachdb.com, shows that the number of data records breached in those top 430 incidents increased from around 4B in 2018 to more than 22B in 2019. This increase occurred despite the strong efforts from regulatory agencies across the world to enforce strict rules on data protection and privacy, such as the General Data Protection Regulation (GDPR) that went into effect in Europe in May 2018. Such regulatory effort could explain the reason why there is such a large number of data breach cases reported in the European Union when compared to the U.S. (more than 10,000 data breaches publicly reported in the U.S. since 2018, while the EU reported more than 160,000 data breaches since May 2018). However, we still face the problem of an excessive number of breach incidents around the world. This research helps to understand the challenges of proper visibility of such incidents on a global scale.
The results of this research can help government entities, regulatory bodies, security and data quality researchers, companies, and managers to improve the data quality of data breach reporting and increase the visibility of the data breach landscape around the world in the future.
Article
Despite the consensus that information security should become an important consideration in information technology (IT) governance rather than the sole responsibility of the IT department, important IT governance decisions are often made on the basis of fulfilling business needs with a minimal amount of attention paid to their implications for information security. We study how an important IT governance mechanism—the degree of centralized decision making—affects the likelihood of cybersecurity breaches. Examining a sample of 504 U.S. higher-education institutions over a four-year period, we find that a university with centralized IT governance is associated with fewer breaches. Interestingly, the effect of centralized IT governance is contingent on the heterogeneity of a university’s computing environment: Universities with more heterogeneous IT infrastructure benefit more from centralized IT decision making. In addition, we find the relationship between centralized governance and cybersecurity breaches is most pronounced in public universities and those with more intensive research activities. Collectively, these findings highlight the tradeoff between granting autonomy and flexibility in the use of information systems and enforcing standardized, organization-wide security protocols.
Article
Data security incidents are continually increasing; hackers, governments, and other actors increasingly attempt to gain unauthorized access to confidential data. Information systems (IS) users are becoming more vulnerable to the risks of data breaches. Many stakeholders perceive cybersecurity incidents as indicators of firms' operational and technological internal deficiencies. Previous research has revealed that investors react negatively to data breaches, yet little is known about investors' reactions to material data security incidents. Using a sample of 232 data security incidents for 132 publicly traded companies in the United States, the authors applied an event study methodology to discern investors' reactions to material versus immaterial incidents. They also used multivariate regression and time-to-event analysis to examine what determines the degree of investors' reactions, considering several intervals around the event day. The results show that investors perceive material data security incidents as a deficiency of breached companies in comparison to immaterial incidents.
Conference Paper
Companies around the world are faced with challenges in dealing with data breaches. While in Germany companies need to notify the affected and fear to lose their valuable customers, in Bolivia, where rapid digital globalization increases vulnerability, data security overall is not a publicly present topic, and customers are directly exposed to the consequences of security incidents. Our study examines the cultural difference in addressing the digital challenge of recovering from data breaches. We investigate through a scenario-based experiment the effect of compensation and remorse on the customer-company relationship. Our results show that German customers are more likely to demand compensation for a data breach as a recovery action, whereas Bolivian customers are satisfied with an apology. We discuss this finding in the context of cross-cultural values and practical implications for countries that are currently undergoing a rapid rise in technology and are therefore exposed to substantial security risks.
Article
Insiders’ negligence or abuse is considered a leading cause for information security breaches in organizations. As most of the extant studies have largely examined insider threats at a high level of abstraction, the role of situational moral reasoning for information security policy (ISP) violations in specific situations has received little attention. To advance this line of research, this paper opens up a potentially fruitful path for IS researchers by applying the situational action theory (SAT) to contextually examine why employees violate ISPs in particular situations, such as violations of password security policy, Internet use policy, and confidential data security policy, while considering specific violation intents ranging from altruistic to malicious. The results support most of the assertions derived from SAT. Situational moral belief was found to be the predominant driver for ISP violation across three situations in an organizational setting. However, the moderation effect of moral belief was only significant in situations involving sharing passwords and selling confidential data. Sanction certainty and sanction severity were also found to take different effects across situations. Implications for IS security practitioners and suggestions for future research are presented.
Article
We examine whether firms learn from digital technology failures in the form of data breach events, based on the effectiveness of their failure responses. We argue that firms experiencing such technological failures interpret them broadly as organizational problems, and undertake unrelated divestitures and top management turnover to achieve better standardization and to remove dysfunctional routines. We test our hypotheses on unrelated subsidiary divestitures and chief technology officer (CTO) turnovers undertaken by 8,760 publicly traded U.S. firms that were at risk of experiencing data breaches involving the loss of personally identifiable information during the period 2005–2016. We find that data breaches significantly increase the hazard of unrelated divestitures and CTO turnover, and that these failure responses are sensitive to firms' aspiration-performance feedback. However, whereas unrelated divestitures reduce the reoccurrence of data breaches, CTO turnover has no significant effect. Our findings suggest a corrective role of unrelated divestitures for failure learning, and the symbolic nature of CTO turnover as a failure response. Our study unpacks failure learning that hitherto has been inferred from a firm's own failure experience and industry-wide failures, and highlights the interplay between the digital and nondigital components of a firm in the understudied context of data breaches. This work is licensed under a Creative Commons Attribution 4.0 International License. You are free to copy, distribute, transmit and adapt this work, but you must attribute this work as "Strategy Science. Copyright © 2020 The Author(s). https://doi.org/10.1287/stsc.2020.0106, used under a Creative Commons Attribution License: https://creativecommons.org/licenses/by/4.0/."
Article
Prior information security studies have largely focused on understanding employee security behavior from a policy compliance perspective. We contend that there is a pressing need to develop a comprehensive understanding of the circumstances that lead to employee commitment of deliberate and malicious acts against organizational digital assets. Drawing on Routine Activity Theory (RAT), we seek to establish a comprehensive model of employee-committed malicious computer abuses (MCA) by investigating the motivations of the offenders, the suitability of the desired targets, and the effect of security guardianship in organizational settings. Specifically, we delineate the effects of the individual characteristics of self-control, hacking self-efficacy, and moral beliefs, and the organizational aspects of deterrence based on the routine activity framework of crime. We test this research model using subjects who held a wide range of corporate positions and varying degrees of computer skills. Our findings offer fresh insights on insider security threats, identify new directions for future research, and provide managers with prescriptive guidance for formulating effective security policies and management programs for preventing MCA in organizations.
Article
As recent cyber-attacks have been increasing exponentially, the importance of security training for employees has grown more than ever before. In addition, security training and education are suggested to be an effective method for discerning cyber-attacks within academia and industry. Despite the importance and necessity of such training, prior studies have not investigated the quantitative utility of security training at the organizational level. Due to the absence of referential studies, many firms have trouble making decisions about arranging optimal security training programs with limited security budgets. The main objective of this study is to find out the relationship between cybersecurity training and the number of incidents in organizations. This study is thus the first to quantify the effectiveness of security training on security incidents. This research examined the relationship between three main factors (education time, education participants, and outsourcing) and the number of cybersecurity incidents. Firm-level data on 7,089 firms were analyzed using the Poisson regression method. Based on the analysis results, we found a negative relationship between security training and the occurrence of cybersecurity incidents. This study sheds light on the role of security training and education by suggesting its positive association with reducing the number of incidents in organizations from a quantitative perspective. The results of this study can be used as a referential guide for information security training decision-making in organizations.
Article
We investigate the relationship between security breaches and chief information officer (CIO) turnover. Because CIOs are directly responsible for IT performance, we argue that their turnover likelihood is higher when they fail to meet IT performance expectations, as reflected by security breaches. Specifically, we find that breaches caused by system deficiency increase CIO turnover likelihood by 72 percent. However, we find no such association for breaches caused by criminal fraud or human error. We extend our analyses to other executives and document that CEOs are more likely to turn over following breaches caused by both system deficiency and human error, consistent with their broader role within the firm. By contrast, we find no evidence suggesting that CFOs are more likely to turn over following breaches. The findings indicate negative labor market consequences for executives who fail to meet performance expectations within the scope of their duties.
Conference Paper
The number of cybercrimes has exploded as the number of businesses increases. Data breaches are one of these security incidents, and one recently affected Hudson's Bay Co. While many studies have found a negative relationship between data breach incidents and online shopping behavior, the impact of breach severity on customer behavior has rarely been investigated. In this emergent paper we adapt Sitkin and Weingart's risky decision-making framework to examine the effect of breach severity on risk perception, risk aversion, and online shopping intention. In preparation for the full-scope study, an experimental survey was conducted. The results of our pilot study provide evidence that breach severity can have different effects on risk perception.
Article
Technological advances have resulted in organizations digitalizing many parts of their operations. The threat landscape of cyberattacks is rapidly changing and the potential impact of such attacks is uncertain, because there is a lack of effective metrics, tools and frameworks to understand and assess the harm organizations face from cyber-attacks. In this article, we reflect on the literature on harm, and how it has been conceptualized in disciplines such as criminology and economics, and investigate how other notions such as risk and impact relate to harm. Based on an extensive literature survey and on reviewing news articles and databases reporting cyber-incidents, cybercrimes, hacks and other attacks, we identify various types of harm and create a taxonomy of cyber-harms encountered by organizations. This taxonomy comprises five broad themes: physical or digital harm; economic harm; psychological harm; reputational harm; and social and societal harm. In each of these themes, we present several cyber-harms that can result from cyber-attacks. To provide initial indications about how these different types of harm are connected and how cyber-harm in general may propagate, this article also analyses and draws insight from four real-world case studies, involving Sony (2011 and 2014), JPMorgan and Ashley Madison. We conclude by arguing for the need for analytical tools for organizational cyber-harm, which can be based on a taxonomy such as the one we propose here. These would allow organizations to identify corporate assets, link these to different types of cyber-harm, measure those harms and, finally, consider the security controls needed for the treatment of harm.
Article
The healthcare sector is identified as particularly vulnerable to digital data breaches and to damage caused by the illegal use of personal and confidential information. Facing such a dangerous threat, medical entities need to estimate the financial consequences of a potential cyber attack leading to a breach of patients' data. The paper's aim is to provide an overview of the consequences of digital data breaches in the healthcare sector and their financial impact, comparing Polish and global perspectives. The research method used was analysis and comparison of international literature, reports, case studies, and statistics concerning data breaches in the healthcare sector, as well as new legal regulations applicable in the European Union. The results of the research show that estimations of total digital data breach costs vary widely among various reports and analyses. The main reasons are the application of different methods of estimation and the lack of complete and reliable databases due to insufficient disclosure of cyber incidents. In addition, the most important conclusion of the paper is that there is an urgent need to conduct research concerning probable data breach costs in the Polish healthcare sector, since studies pursued by renowned organisations have not covered Poland so far.
Article
Organisations are highly interested in collecting and analysing customer data to enhance their service offerings and customer interaction. However, individuals increasingly fear how such practices may negatively affect them. Although previous studies have investigated individuals’ concerns about information privacy practices, the adverse consequences people associate with external actors accessing their personal information remain unclear. To mitigate customers’ fears, organisations need to know which adverse consequences individuals are afraid of and how to address those negative perceptions. To investigate this topic, we conducted 22 focus groups with 119 participants. We developed a comprehensive conceptualisation and categorisation of individuals’ perceived adverse consequences of access to their information that includes seven types of consequences: psychological, social, career-related, physical, resource-related, prosecution-related, and freedom-related. Although individuals may limit their interactions with an organisation owing to consequences they associate with both the organisation and other actors, organisations can apply preventive and corrective mechanisms to mitigate some of these negative perceptions. However, organisations’ scope of influence is limited and some fears may be mitigated only by individuals themselves or government regulation, if at all.
Article
This research examines the joint effects of information technology (IT) strategies and security investments on organizational security breaches. We focus on two forms of IT strategies: digitalization and embeddedness in IT outsourcing networks. Our longitudinal analysis of U.S. hospitals demonstrates that IT security investments reduce security breaches in less digitalized organizations but increase security breaches for highly digitalized organizations. Investing in technical network control security systems such as anti-virus and intrusion detection systems reduces external breaches. Implementing identity and access management security systems such as biometric scanning and user authentication decreases internal breaches but increases external breaches. However, organizations’ embeddedness in IT outsourcing networks weakens the impacts of these technologies investments on external breaches but amplifies the negative relationship between identity and access management security systems and internal breaches. Our results offer an alternative understanding of organizational IT security investments and explain contrary results found in prior studies. Practical guidelines on organizational IT security strategies are discussed.
Article
In response to organizations’ increasing vulnerability to data breaches, we present an integrated risk model for data breach management based on a systematic review of the literature. Theoretically, the study extends the body of knowledge on data breach management by identifying and updating conceptualizations of data breach risks (items) and resolutions (actions) and by providing a foundation for organizational responses to emerging data breach incidents (heuristics). Practically, the study provides key insights that practitioners can use to organize and orchestrate effective data breach management based on comprehensive profiles of risk items and resolution techniques.
Article
As signals of internal control weaknesses, cyber security incidents can represent significant risk factors to the quality of financial reporting. We empirically assess the audit quality implications of data breaches for a large sample of US firms. Using a difference-in-differences approach based on a matched sample of breached and non-breached firms, we find no evidence that cyber-security incidents result in a decline in audit quality. Instead, we observe positive shifts in four widely-used proxies for audit quality. We document that breached firms (i) experience a decrease in abnormal accruals, (ii) are less likely to report small profits or small earnings increases, (iii) are more likely to be issued a going concern report, and (iv) are less likely to restate their financial statements in the two years following a breach. Our results indicate that auditors effectively offset increases in audit risk through additional substantive testing and audit effort. Our evidence supports the view that auditors have increased their audit risk awareness and put in place adequate procedures to deal with the consequences of cyber-security incidents.
Article
This paper studies the financial consequences of a reported data breach for bank loan terms. Using a staggered difference-in-differences approach with treatment and control samples matched by data breach propensity, we find that firms that have reported data breaches face higher loan spreads and their loans are more likely to require collateral and demand more covenants. The effects are more pronounced when the data breach involves criminal activities or the loss of a large number of records, or when the breached firm belongs to certain industries or has a high IT reputation. Moreover, using the introduction of state mandatory data breach notification laws as an exogenous shock, we find that the negative effect of data breaches on bank loan terms is more significant after these laws took effect. Our evidence also suggests that breached firms that take more remedial actions following the breach incident receive less unfavorable loan terms. JEL Classifications: G10; G12.
Article
Data breaches are now a daily occurrence. What corporate leaders may not realize is that certain actions they are taking in the social responsibility space may, in fact, be placing a proverbial target on their backs. Indeed, there is evidence that the hacking community is not homogeneous, and at least some hackers from both internal and external sources appear to be motivated by what they dislike as opposed to solely financial gain. Recent hacks against the World Health Organization, as a result of its actions (or supposed inactions) related to the COVID-19 pandemic, are a case in point. In this paper, we put forth the idea that espoused positive social performance in areas that are peripheral to core business operations (e.g., philanthropy, recycling programs) can be a detriment to information security, particularly when firms have simultaneous high levels of social concerns (e.g., poor employee relations, product safety concerns, involvement in an environmental controversy). Our results support this outcome. It appears that some perpetrators can “sniff out” firm social actions that attempt to give the appearance of social responsibility and possibly mask poor social performance, and consequently, these firms are victimized by a malicious data breach more often.
Conference Paper
This paper investigates the association between board busyness (i.e., directors with multiple positions) and the occurrence of reported information security incidents. Building on prior studies of board busyness, this paper argues that directors holding multiple board seats may fail to commit the time and effort necessary to ensure the appropriate information security strategy or investment plans are in place. Our results demonstrate that board busyness is positively associated with reported information security incidents. This effect is larger when independent directors are busy, thus suggesting the importance of the governance role played by independent directors in managing information security risks. The board of directors’ role has been emphasized in anecdotal evidence and IT governance frameworks, but our study empirically demonstrates the board’s relevance in information security strategy and management.
Article
Many small and medium enterprises (SMEs) engage in dyadic information integration partnerships or partial integration with their direct suppliers and customers. They often utilize e-commerce or cloud computing technology platforms hosted by third-party providers to leverage such partnerships. However, information security breaches and disruptions caused by cyberattacks are commonplace in the information technology industry. The effects of said disruptions and breaches on e-commerce businesses under varied disruption conditions are still uncertain. Furthermore, the effect of security breaches on nonparticipating members of the supply chain is poorly understood, especially under various disruption profiles. Using discrete event modeling, in this article, we explore the impact of disruption caused by information security breaches on supply chain performance and the externality effect of partial integration on nonparticipants. We also examine the impact of breach disruption frequency and remediation length on supply chain performance with varying levels of information sharing. These impacts were studied under two typical inventory replenishment policies for SMEs. It was determined that remediation length should be a prioritized factor in impact management and that flexibility in the inventory replenishment policy can help mitigate the impact of information disruption on the inventory performance of businesses, especially that of nonparticipants, in information-sharing partnerships.
Article
Cybersecurity is a serious and growing risk for organizations. Firms with board of director involvement in information technology governance (ITG) may be better equipped to deal with this risk. Yet little is known about the audit committee's role in ITG. This study uses efficiency and institutional theories to investigate the influence of security breaches and board-level technology committees on disclosing ITG roles in the audit committee charter. We develop hypotheses and test them using a sample of 189 firms. Results show that firms with a technology committee and a data breach are more likely to disclose ITG roles in the audit committee charter. This suggests that firms experiencing a data breach realize their vulnerability and, by already having oversight at the board level, it is more natural for them to increase oversight by assigning ITG roles to the audit committee. We provide implications and areas for future research.
Article
We develop a model where a firm has an optimal exposure to cyber risk. With rational, fully informed agents and with no hysteresis, a successful cyberattack should have no impact on a financially unconstrained target's reputation and post-attack policies. In contrast, when a successful attack involves the loss of personal financial information, there is a significant shareholder wealth loss, which is much larger than the attack's out-of-pocket costs. This excess loss is higher when the attack decreases sales growth more and lower when the board pays more attention to risk management before the attack. Further, an attack decreases a firm's risk appetite, as it beefs up its risk management and information technology and decreases the risk-taking incentives of management. Finally, successful cyberattacks adversely affect the stock price of firms in the target's industry. These results imply that successful attacks with personal financial information loss provide adverse information about cyber risk to target firms, their stakeholders, and their competitors.
Article
A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company.
Article
As social media continues to transform firm–customer interactions, firms must leverage customer reactions to generate actionable insights, especially in contexts (e.g., crisis events) where customer reactions are critical. Using justice theory, we categorize customer reactions to two firms, Home Depot and Target, during the time frame of a security hack to understand key themes/topics. We then map the themes/topics to customer sentiments in those reactions. We found that customers associate justice with simple procedures rather than with the experience of dealing with the firm. In addition, it is critical for firms to carefully assess and control customer sentiments on social media during crisis events.
Conference Paper
A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-term study with employee interviews while embedded in the organization’s security division. Despite an extremely high level of financial investment in security, and consistent attention and involvement from the board, the interviews indicate a significant level of friction between employees and security. In the main themes that emerged from our data analysis, a number of factors shed light on the friction: fear of another breach leading to zero risk appetite, impossible security controls making non-compliance a norm, security theatre undermining the purpose of security policies, employees often trading off security with productivity, and as such being treated as children in detention rather than employees trying to finish their paid jobs. This paper shows that post-breach security changes can be complex and sometimes risky due to emotions often being involved. Without an approach considerate of how humans and security interact, even with high financial investment, attempts to change an organization’s security behaviour may be ineffective.
Article
Effective use of electronic health records (EHRs) is considered an important step toward the goal of improving the quality of U.S. healthcare, while reducing its costs. However, did EHRs and a meaningful use (MU) initiative increase the risk of a breach of patient information, as many people were worried about? This study shows that implementing EHRs led to a 3.081 times higher risk of a breach of patient information. This heightened risk was mostly driven by the occurrence of more accidental breaches. Undertaking MU initiatives increased the risk of accidental breaches by 1.771 times, but not the risk of malicious breaches. We also found that these risks increased more among relatively larger hospitals. We conclude that despite recent evidence that the usage of EHRs has improved the quality of healthcare, quality must go hand in hand with the protection of patient information. Thus, we argue that the government’s future revision of the criteria for MU should better reflect the risk of accidental breaches. Our study also suggests that policy makers should carefully address the possible increase in the risk of privacy breaches when considering whether to promote industry-wide adoption of digitized data and processes.
Article
This study provides insight into hackers’ reaction toward an information security breach perpetrated either with an ill or a good intention. To our knowledge, limited research is available for promoting understanding of whether intent induces different perceived moral affect (i.e., a perpetrator should have feelings of regret, sorrow, guilt, and shame), which explains the effect of perceived intensity of emotional distress on responsibility judgment. Further, research is sparse on enhancing understanding of whether the nature of a perpetrator’s intent affects the moderating role of consideration of the consequences in the relationship between perceived moral affect and responsibility judgment. Increased understanding of the relationships among perceived moral affect, perceived intensity of emotional distress, consideration of the consequences, and responsibility judgment of an information security breach from the hackers’ perspective may shed light on their continued engagement in the act despite society’s disapproval. Analyses of the responses of 166 hackers recruited at two major hacker conferences reveal that perceived moral affect mediates the effect of perceived intensity of emotional distress on responsibility judgment only in an ill-intention breach, and consideration of the consequences strengthens the relationship between perceived moral affect and responsibility judgment only in a good-intention breach.
Article
Persuasion is key to encourage compliance with information security policies through fear appeals, though research has not examined how the perceived quality of their arguments affects threat and coping appraisals. Because we know that perceived argument quality can influence attitudes and behavior, it may improve fear appeal effectiveness. The results of a scenario-based field experiment suggest that perceived argument quality increases response efficacy perceptions and compliance intentions. We also examine emerging heuristics about how to use realism checks in scenario-based research and find that current realism check heuristics in behavioral information security research may be misguided, contributing to biased interpretation.
Article
In this paper, we examine the consequences of data breaches for a breached company. We find the economic consequences are, on average, very small for breached companies. On average, breaches result in less than −0.3 percent cumulative abnormal returns in the short window around the breach disclosure. Except for a few catastrophic breaches, the nominal difference in cumulative abnormal returns between breach companies and the matched companies disappears within days after the breach. We also test whether data breaches affect future accounting measures of performance, audit and other fees, and future Sarbanes-Oxley Section 404 reports of material internal control weaknesses, but find no differences between breach and matched companies. Our results address the question why companies are not spending more to reduce breaches. We conclude by providing a few explanations of why there appears to be an effect at the economy-wide level, but no noticeable effect on individual company performance.
Article
Reputation threats on social media in the aftermath of a data breach are a critical concern to enterprises. We argue that any effort to minimize reputation threats will require an orderly assessment of how reputation threat manifests on social media. Drawing on crisis communication and social media literature, we analyze Twitter postings related to the 2014 Home Depot data breach. We identify a taxonomy of data breach frames and sub-frames and the related reputation threats as manifested by data breach responsibility-attributions and negative emotional responses. Results indicate that reputation threats vary for intentional, accidental, and victim data breach frames. Based on crisis stage theory, we also analyze the dynamics of evolving reputation threats as the data breach situation unfolds on social media. Results suggest that the data breach frames and associated reputation threats vary across the crisis stages. Further, intentional and accidental frames increase subsequent responsibility-attributions and negative emotions. Tweets with responsibility-attributions further increase the subsequent generation of reputation-threatening tweets. Negative emotions, particularly anger and disgust, also increase subsequent reputation threats. Our study has implications for enterprise reputation management and word-of-mouth literature. The results yield valuable insights that can guide enterprise strategy for social media reputation management and post-data-breach intervention.
Article
Certification mechanisms are often employed to assess and signal difficult-to-observe management practices and foster improvement. In the U.S. healthcare sector, a certification mechanism called meaningful-use attestation was recently adopted as part of an effort to encourage electronic health record (EHR) adoption while also focusing healthcare providers on protecting sensitive healthcare data. This new regime motivated us to examine how meaningful-use attestation influences the occurrence of data breaches. Using a propensity score matching technique combined with a difference-in-differences (DID) approach, our study shows that the impact of meaningful-use attestation is contingent on the nature of data breaches and the time frame. Hospitals that attest to having reached Stage 1 meaningful-use standards observe fewer external breaches in the short term, but do not see continued improvement in the following year. On the other hand, attesting hospitals observe short-term increases in accidental internal breaches but eventually see long-term reductions. We do not find any link between malicious internal breaches and attestation. Our findings offer theoretical and practical insights into the effective design of certification mechanisms.
Article
In the current business climate, a firm's information systems security is no longer independent from the industry's broader security environment. A question arises, then, whether stock market values reflect the interdependence of security breaches and investments. In this paper, we used the event study methodology to investigate how a firm's security breaches and IT security investments influence its competitors. We collected and reviewed 118 information security breaches and 98 IT security investment announcements from 2010 to 2017. We found substantial evidence supporting our hypothesis that information security breaches do, indeed, have a competition effect: when one firm is breached, its competitors have opportunities to absorb market power. For the IT security investment announcements, however, we observed positive externalities, or a contagion effect, in play: market investors feel that the security investments made by one firm increase the security level of the entire network, and hence competitors also benefit. Additionally, we found that the competition effect was higher when the breaches occurred after preceding security investments than when there were no preceding investments before the breaches.
Article
We study the association between firms’ disclosures in Forms 10-K of the existence of trade secrets, and cyber theft of corporate data (which we refer to as “Breaches”). Prior academic research explaining the occurrence of Breaches is scarce, and no prior study has focused specifically on Breaches that likely target trade secrets. We provide such evidence, and our use of Form 10-K contents related to trade secrets is a first step toward determining whether corporations actually attract Breach activity through their public disclosures. We find that firms mentioning the existence of trade secrets have a significantly higher subsequent probability of being Breached relative to firms that do not do so. Our results are stronger among younger firms, firms with fewer employees, and firms operating in less concentrated industries. By conducting a battery of additional tests, we attempt to go beyond merely establishing correlations to provide evidence of whether such proprietary information can actually attract cyber attacks. Specifically, our results are robust to additional control variables, an instrumental variable approach, firm fixed effects, and a propensity score matching technique.